Unexpected permission behavior with Shopware v6.5.4.0 and Admin SDK

Question

So for my app based on the Shopware 6 app system everything worked fine for v6.5.3.3. However, by updating Shopware to v6.5.4.0, I am suddenly getting a bunch of permission errors, even though my app doesn't need them, since it is not using them.

I don't even have permissions to access my own entities which I created in my entities.xml:

This explicitly happens when the repository service of the Admin SDK is used. I did not change anything inside my app, so I guess something in the Shopware core changed. I also took a look at the changelog, however, I couldn't find any change which could cause this issue.

Unfortunately, I don't have any clue where to debug, so for once I added all of these permissions. Next up, it is telling me to also add create and delete permissions:

So, this is a major stopper for my CRUD app.

Basically, my app uses custom entities, which reads and writes data via the Admin SDK. Nothing special, therefore I did not attach any code. I am glad for any help. Maybe I am missing something from the changelog. Otherwise I will create an issue.

I am using the latest Admin SDK Version 3.0.14


EDIT:

So now I am trying to add the includes to my code in order to reduce the payload. First of all my manifest.xml:

<permissions>
    <read>language</read>
</permissions>

Next up, the code in my app:

async loadLanguages(): Promise<void> {
    this.loading = true;

    try {
        const criteria = new data.Classes.Criteria();
        criteria.addIncludes({
            language: ['id']
        });
        const languages = await this.languageRepository.search(criteria);
        // Not logged
        console.log(languages);
    } catch (err: unknown) {
        if (err instanceof Error) {
            notification.dispatch({
                title: this.$tc('global.default.error'),
                message: err.message,
                variant: 'error'
            });
        }
    }

    this.loading = false;
}

In my understanding this should result in a response with all languages containing just the "id" field without the need of any further permissions. However, this results in the same permission error as before. Surprisingly I am getting a 200 status code response in the network tab like this:

{
  "data": [
    {
      "id": "0189e919e85e70a783c1305f521820d9",
      "type": "language",
      "attributes": {
        "apiAlias": "language_foreign_keys_extension"
      },
      "links": {
        "self": "http://localhost:8888/api/language/0189e919e85e70a783c1305f521820d9"
      },
      "relationships": [],
      "meta": null
    },
    {
      "id": "2fbb5fe2e29a4d70aa5854ce7ce3e20b",
      "type": "language",
      "attributes": {
        "apiAlias": "language_foreign_keys_extension"
      },
      "links": {
        "self": "http://localhost:8888/api/language/2fbb5fe2e29a4d70aa5854ce7ce3e20b"
      },
      "relationships": [],
      "meta": null
    }
  ],
  "included": [],
  "links": {
    "self": "http://localhost:8888/api/search/language"
  },
  "meta": {
    "totalCountMode": 1,
    "total": 2
  },
  "aggregations": []
}

Nevertheless, my catch block intercepts it with the permission error. What am I still doing wrong?

Answer 1

Score: 3

The permission behavior was wrong prior to v6.5.4. This was fixed with this version. When you are now loading an entity for which the app has no permissions, it will throw this error.

To minimize the needed permissions you could reduce the payload by using includes in the Criteria. And for the data you get via https://shopware.github.io/admin-extension-sdk/docs/guide/api-reference/data/subscribe you can use the selectors to reduce it only to your needed permissions.
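
As an added example (not part of the original answer, and not Shopware or Admin SDK code): a small audit helper that compares the `<permissions>` block of a manifest.xml with the entity names that actually appear in a search response, so permissions can be granted one by one instead of all at once. The function names and sample data are hypothetical, and treating every `type` and `apiAlias` string as a name a permission check could see is an assumption.

```typescript
type Privilege = "read" | "create" | "update" | "delete";

// Parse the <permissions> block of a manifest.xml into entity -> privileges.
function parseManifestPermissions(xml: string): Map<string, Set<Privilege>> {
    const granted = new Map<string, Set<Privilege>>();
    const block = /<permissions>([\s\S]*?)<\/permissions>/.exec(xml);
    if (!block) return granted;
    const entry = /<(read|create|update|delete)>\s*([\w-]+)\s*<\/\1>/g;
    let m: RegExpExecArray | null;
    while ((m = entry.exec(block[1])) !== null) {
        if (!granted.has(m[2])) granted.set(m[2], new Set<Privilege>());
        granted.get(m[2])!.add(m[1] as Privilege);
    }
    return granted;
}

// Walk a JSON:API response and collect every "type" and "apiAlias" string.
// Assumption: each is a candidate entity name a permission check could see.
function collectEntityNames(node: unknown, found = new Set<string>()): Set<string> {
    if (Array.isArray(node)) {
        node.forEach((child) => collectEntityNames(child, found));
    } else if (node !== null && typeof node === "object") {
        const obj = node as Record<string, unknown>;
        for (const key of Object.keys(obj)) {
            const value = obj[key];
            if ((key === "type" || key === "apiAlias") && typeof value === "string") {
                found.add(value);
            } else {
                collectEntityNames(value, found);
            }
        }
    }
    return found;
}

// Names present in the payload for which the manifest grants no `privilege`.
function missingPermissions(xml: string, payload: unknown, privilege: Privilege = "read"): string[] {
    const granted = parseManifestPermissions(xml);
    return Array.from(collectEntityNames(payload))
        .filter((name) => !granted.get(name)?.has(privilege))
        .sort();
}

// Constructed sample input, shaped like the manifest and response in the question.
const sampleManifest = "<permissions><read>language</read></permissions>";
const sampleResponse = {
    data: [{ id: "00000000000000000000000000000001", type: "language",
             attributes: { apiAlias: "language_foreign_keys_extension" }, relationships: [] }],
    included: [],
};
console.log(missingPermissions(sampleManifest, sampleResponse));
```

Running the helper over responses captured from the network tab gives the smallest set of names to review before adding anything to the manifest.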

Answer 2

Score: 0

This is an issue affecting Shopware platform...

https://github.com/shopware/platform/commit/4203eaa3adc6c69ae3932e1c106fa6914011877b

...and will most likely be fixed with the upcoming minor release v6.5.4.2

huangapple
  • Posted on August 10, 2023 at 17:24:38
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76874355.html